1
00:00:12,110 --> 00:00:14,730
Hi and welcome back to another episode on How to Hack.

2
00:00:15,140 --> 00:00:19,810
So over here we have Open Web Application Security Project Juice Shop running.

3
00:00:20,240 --> 00:00:26,060
So once we're on this vulnerable web application server, we can do all of our testing against the server.

4
00:00:26,450 --> 00:00:31,820
So on the top right corner, we have a couple of options and we can do a login directly to any account.

5
00:00:32,180 --> 00:00:37,970
So one thing that we want to introduce and learn today is about the web developer option, so we can click

6
00:00:37,970 --> 00:00:39,260
on the top right corner.

7
00:00:39,770 --> 00:00:42,350
We can click on Web Developer and we can click on Toggle Tools.

8
00:00:43,190 --> 00:00:47,690
So once we're in Toggle Tools, we'll be able to see all the different tools that we have.

9
00:00:47,690 --> 00:00:52,670
So we have Inspector, which can help us inspect elements of a website to understand more about a site.

10
00:00:53,180 --> 00:01:00,080
We have a Console which tells us about the items and activities that are happening on the web developer

11
00:01:00,420 --> 00:01:01,980
and we have Debugger.

12
00:01:02,030 --> 00:01:02,290
All right.

13
00:01:02,300 --> 00:01:07,720
So to debug more information, we can look at the JavaScript information that is being loaded.

14
00:01:07,730 --> 00:01:11,840
So we also did a minified item.

15
00:01:11,840 --> 00:01:18,040
So we actually try to de-minify the JavaScript so that it becomes human readable and we can try to segment

16
00:01:18,050 --> 00:01:19,490
out which are the pages.

17
00:01:19,490 --> 00:01:23,900
So we learn about how to access some of these items within the JavaScript.

18
00:01:24,200 --> 00:01:27,020
And a really important part is on Network.
19
00:01:27,020 --> 00:01:32,480
So Network actually helps us understand what kind of application programming interfaces could have been

20
00:01:32,480 --> 00:01:39,050
called and what kind of data is being transacted between the web application server and your web browser.

21
00:01:39,380 --> 00:01:42,850
So of course we did an earlier tutorial about SQL injection.

22
00:01:42,860 --> 00:01:49,930
So over here we can see there was an email field, so we can go ahead and actually enter a single quote

23
00:01:49,940 --> 00:01:53,330
OR one equals one, and we can just enter whatever password we want.

24
00:01:53,600 --> 00:01:59,180
And of course we can click on Login and we will log in successfully as an admin account.

25
00:01:59,240 --> 00:02:03,500
OK, so this is the first row that is actually being queried by the database

26
00:02:03,500 --> 00:02:08,570
when we tried to do a login, which is why we ended up with this particular account the moment we tried

27
00:02:08,570 --> 00:02:09,110
to log in.

28
00:02:09,620 --> 00:02:13,520
So once we're in, we can see, for example, we have a whoami.

29
00:02:13,550 --> 00:02:17,640
So we have the response and we have all this different data.

30
00:02:18,140 --> 00:02:19,490
So we managed to get some token.

31
00:02:19,820 --> 00:02:21,380
We get the email as well.

32
00:02:21,650 --> 00:02:21,950
All right.

33
00:02:21,980 --> 00:02:26,900
So we can see all this data and information that is being sent to us and we even get the IP address

34
00:02:27,290 --> 00:02:28,700
that is also being sent over.

35
00:02:29,050 --> 00:02:32,570
OK, so we get all this different data, all this different information.

36
00:02:32,780 --> 00:02:33,050
All right.

37
00:02:33,050 --> 00:02:38,960
So we can see the method, whether it's a GET or whether it is a POST of information.

38
00:02:39,140 --> 00:02:39,400
All right.

39
00:02:39,410 --> 00:02:43,320
So all these are very important points to understand about what's happening.
40
00:02:43,640 --> 00:02:48,450
So the next thing that we want to look at is in terms of understanding the account details.

41
00:02:48,770 --> 00:02:54,770
So, for example, over here, if I click on the account and I click under Orders and Payment and

42
00:02:54,770 --> 00:02:59,180
if I click on Saved Address, for example, I can again go into Web Developer.

43
00:03:00,200 --> 00:03:00,320
Right.

44
00:03:00,320 --> 00:03:01,550
And we can click on Network.

45
00:03:02,660 --> 00:03:07,880
And again, we can try to reload the site so we can actually do a refresh and we can see the kind of

46
00:03:07,880 --> 00:03:12,500
information that is flowing to us from the web application server.

47
00:03:12,800 --> 00:03:13,190
All right.

48
00:03:13,190 --> 00:03:17,610
So we can click on address and we can see some information.

49
00:03:17,660 --> 00:03:17,920
All right.

50
00:03:17,940 --> 00:03:20,090
So we can click on, for example, Response.

51
00:03:20,570 --> 00:03:24,920
So we have the mobile number over here, which is actually not being shown.

52
00:03:25,140 --> 00:03:25,490
All right.

53
00:03:25,500 --> 00:03:26,900
We can get the mobile number.

54
00:03:27,260 --> 00:03:29,690
We can get the zip code that is also being shown here.

55
00:03:30,080 --> 00:03:32,270
We have the state and so on, so forth.

56
00:03:32,690 --> 00:03:32,880
All right.

57
00:03:32,950 --> 00:03:35,810
So very quickly, we can find out all these different items.

58
00:03:35,810 --> 00:03:39,230
So we found the hidden mobile number that is actually not here at all.

59
00:03:39,420 --> 00:03:46,130
OK, so the next thing we can try to do is also click on Account, click under Orders and Payment and

60
00:03:46,130 --> 00:03:49,640
we can click under the payment options.

61
00:03:49,640 --> 00:03:51,290
So you click on Payment Options.
62
00:03:51,590 --> 00:03:58,940
What you can see here is we have all these asterisks; it actually masks the first 12 characters of

63
00:03:58,940 --> 00:03:59,680
a credit card.

64
00:04:00,020 --> 00:04:04,410
So in our case, we are only seeing the last four digits of the credit card.

65
00:04:04,790 --> 00:04:08,690
This is again for security purposes and for all these different details.

66
00:04:08,690 --> 00:04:11,610
So we can see the name and we can see all this different data.

67
00:04:11,990 --> 00:04:17,330
So what we can do, as a result of looking at the network traffic that's being sent in and out

68
00:04:17,510 --> 00:04:23,300
between the web browser as well as the web application server, is we can also try to find out what

69
00:04:23,480 --> 00:04:25,400
are the exact credit card details.

70
00:04:25,790 --> 00:04:32,360
And if I click over here on the cards immediately, if I zoom in a little more, we can see the actual

71
00:04:32,360 --> 00:04:35,540
card numbers and we see the ending is four, three, six, eight.

72
00:04:35,870 --> 00:04:40,750
So this coincides with the saved cards that we have over here.

73
00:04:40,760 --> 00:04:43,150
So immediately we can find all those details and data.

74
00:04:43,520 --> 00:04:43,940
All right.

75
00:04:44,210 --> 00:04:50,590
And likewise, for the second credit card, we are also able to find out the full credit card details,

76
00:04:50,600 --> 00:04:52,180
and why is that the case?

77
00:04:52,220 --> 00:04:56,280
The reason is because a lot of times the web application server,

78
00:04:56,450 --> 00:04:56,770
all right,

79
00:04:56,780 --> 00:05:03,080
so whether it is an off-the-shelf web application server or whether it is custom built from the ground

80
00:05:03,080 --> 00:05:09,560
up, from ground zero, whatever the case is, sometimes the developers may have coded the credit card

81
00:05:09,560 --> 00:05:09,980
details,
82
00:05:10,040 --> 00:05:16,550
or some data or information is being sent from the web application server into the web browser, and

83
00:05:16,550 --> 00:05:22,010
what they do is they only change the value later on using JavaScript, which means that we actually

84
00:05:22,010 --> 00:05:28,760
get the full data into our browser and our browser will manipulate the display into asterisks.

85
00:05:28,770 --> 00:05:34,280
And that is why we're able to see it through the use of the Network tab in the web developer tools.

86
00:05:34,790 --> 00:05:37,850
So once again, I hope you've learned something valuable in today's tutorial.

87
00:05:38,090 --> 00:05:42,290
And if you like what you watch, remember to like, share and subscribe to the channel so that you can be

88
00:05:42,290 --> 00:05:44,420
kept abreast of the latest cyber security.

89
00:05:44,900 --> 00:05:46,490
Thank you so much once again for watching.
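Added example, not code from the video or from Juice Shop itself: the masking the video describes (asterisks applied to the card number in the browser) done on the server instead, so the full number never reaches the Network tab, plus a check that scans a response body for card numbers that were sent in full. The record field names (cardNum, fullName, expMonth, expYear) and the card number are constructed test values, not Juice Shop's schema.

```javascript
// 1. maskCardRecord(): mask the PAN on the server before the record is serialised,
//    so the browser only ever receives the last four digits.
// 2. findUnmaskedPans(): scan a JSON response body (as seen in the Network tab)
//    for Luhn-valid 13-19 digit runs, i.e. card numbers that were sent in full.
// Sample record and card number below are constructed test values.

// Luhn checksum: filters out ids, timestamps and other digit runs that are not PANs.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Server-side masking: build a response object that carries only the last four
// digits; the full cardNum field is not copied at all.
function maskCardRecord(card) {
  const pan = String(card.cardNum);
  return { id: card.id, fullName: card.fullName, last4: pan.slice(-4),
           expMonth: card.expMonth, expYear: card.expYear };
}

// Detection: return every Luhn-valid 13-19 digit run found in a response body.
function findUnmaskedPans(body) {
  const hits = [];
  for (const m of body.matchAll(/\b\d{13,19}\b/g)) {
    if (luhnValid(m[0])) hits.push(m[0]);
  }
  return hits;
}

// Constructed sample: the record the server holds (4111... is a standard test PAN).
const STORED_CARD = { id: 1, fullName: 'Jane Doe', cardNum: '4111111111111111',
                      expMonth: 12, expYear: 2030 };

// Vulnerable pattern: the whole record is serialised and the client masks it in JavaScript.
const leakyBody = JSON.stringify({ status: 'success', data: [STORED_CARD] });
// Hardened pattern: mask before serialising, so nothing is left for the client to hide.
const safeBody = JSON.stringify({ status: 'success', data: [maskCardRecord(STORED_CARD)] });

console.log('leaky response leaks:', findUnmaskedPans(leakyBody));
console.log('hardened response leaks:', findUnmaskedPans(safeBody));
```

Running findUnmaskedPans over the body of each payment-cards response is a quick regression check that the masking really happens on the server.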